Countdown to Extra Time
The Act of Ukraine on Making Changes and Amendments to Some Acts and Regulations of Ukraine to Strengthen Acts on Liability for Violation of Personal Data Protection Legislation (the Act) came into force on 1 January 2012. According to the Act, all databases have to be registered before 1 January 2012. In fact, liability for the breach of data protection legislation has been postponed till 1 July 2012.
The Act introduces administrative and criminal liability for violations of law, in particular for non-registration of databases and for the use of information without obtaining the consent of the individual. The rate of fines for an administrative violation varies from UAH 1,700 to UAH 17,000.
We have asked legal practitioners to share their views regarding the activities of companies before the enactment of the amendments, ways of realization and protection, as well as controlling mechanisms in the area of personal data.
The threat of administrative and criminal sanctions should encourage companies to bring their business processes into line with data protection regulations. A six-month grace period is a good opportunity to do it substantively and systematically.
Generally, to comply with the Personal Data Protection Act before the enactment of the above-mentioned amendments, every company should do the following:
— Audit/check every database used in its operational activities in order to identify those containing personal data. At this stage, it may turn out that almost every company’s database contains certain data relating to individuals. This results in the need to restructure, optimize, reorganize, and rearrange the databases and their contents to make data flows more transparent and efficient and to ensure a due level of personal data protection;
— Develop internal regulations and procedures, including the Data Processing and Protection Regulations; draft template documents for data processing routines; and appoint data protection officer(s);
— Obtain permission from individuals whose personal data is processed by the company and notify them of the processing of their personal data as required by the Act. Depending on the scope of personal data, the number of individuals and other specifics, the company may choose various approaches to collecting permission and delivering notifications;
— Register databases containing personal data with the Ukrainian Data Protection Authority; and
— Monitor the company’s compliance on a regular basis, which may include processing of requests from individuals who are data owners, ensuring an appropriate level of data protection, communication with the regulator, etc.
It is expected that the postponement of liability for the breach of data protection regulations may positively affect the climate in the area: the Data Protection Authority will have extra time to clarify grey areas in data protection legislation, while the business may have more time to bring its operations into conformity with the Act, complete the procedures as described above, and have everything structured in the due way.
However, the extension obviously will not remove the risks related to potential lawsuits filed by individuals who are owners of personal data. Thus, regardless of administrative and criminal sanctions, companies should be ready to deal with civil proceedings initiated by citizens claiming breach of their personal data protection rights. To mitigate these risks, the processes of collecting consents and notifying the individuals (if not started yet) should be launched at the earliest convenience.
The rationale for postponing the statute’s coming into force is that it will give companies and individuals an opportunity to take the necessary steps to ensure compliance with the Personal Data Protection Act of Ukraine, which also includes registration of personal databases with the State Service of Ukraine for Personal Data Protection.
But it should be admitted that registration of numerous personal databases, which is being performed by officers of the State Service, fails as such to attain the ultimate goal, as the average person cannot request information about owners and/or administrators of databases that process this person’s personal data from the State Register. Information contained in the register shows only the quantity of relevant databases kept by a given business but nothing more.
Under such circumstances, it seems practical to remove a provision requiring mandatory technical registration of existing personal databases with the State Register from the Personal Data Protection Act of Ukraine.
Furthermore, provisions of Article 182 of the Criminal Code of Ukraine, which, when it comes into force on 1 July 2012, will introduce liability for the illegal collection, keeping, use, destruction and dissemination of confidential information about a person or the illegal altering of such information, also call for change. In our opinion, illegal collection, storage, use, destruction and dissemination of confidential information should be punishable under the said statutory provision only in cases when such information was obtained from personal databases.
Control over compliance by individuals or legal entities with Ukrainian legislation on protection of personal data is exercised by the State Service of Ukraine on Personal Data Protection (the Service). The processor or controller of a personal database may be inspected by the Service pursuant to a scheduled inspection or on the basis of someone’s complaint submitted to the Service. As a rule, such a complaint shall be accompanied by documents evidencing the committing of an offence. Still, as information on the Service’s practical activity is very scarce, it is not definitely clear what evidence can be regarded as sufficient.
Should, upon the completion of the inspection, the Service identify the offence, it shall issue an order on cessation of the offence. However, should there be a grave offence or a processor/controller fail to perform the requirements of the orders in a timely way, the Service draws up an administrative protocol on the offences identified. One should point out that there is neither a methodology nor a uniform approach to the calculation of the precise sums of a fine by the Service, which may lead to abuse of authority by the Service. However, the final amount of fines is determined by a court on the basis of the administrative protocol drawn up by the Service.
In general, the mechanism of control over compliance with personal data protection law meets international standards. The main concern relates to possible abuse by state bodies of the rights vested in them by the law, especially those on bringing individuals or legal entities to criminal liability.
Controlling mechanisms in the area of personal data protection are currently under development. The procedure for audits of holders/managers of personal data has not yet been developed for the State Service on Personal Data Protection (hereinafter — the Service). Such audits, both scheduled and unscheduled, are envisaged by the Regulation of this agency.
Nevertheless, officials of the Service described in general terms their position regarding the imposition of penalties. Penalties for the offense specified in Part 1 of Article 188-39 of the Administrative Offences Code of Ukraine (failure to notify or untimely notification of a subject of personal data about his/her rights in connection with inclusion in the database of personal data) would be applied for each such offense regarding each individual. That was the explanation given by the head of the Service in a media interview.
This may mean the following. If a company’s database contains personal data about two hundred people and none of them is notified about his/her rights, the budget may get between UAH 1 million and UAH 1.7 million. According to Part 1, Article 188-39 of the Code, the fine can reach UAH 3,400 — 5,100. Each subsequent offense is qualified as “repeated within one year” (Part 3, Article 188-39), which increases the sum of the fine: UAH 5,100 — 8,500. For the above example of two hundred people, the minimum fine is calculated as follows: 3,400 + (5,100 × 199) = UAH 1,018,300.00, and the maximum: 5,100 + (8,500 × 199) = UAH 1,696,600.00.
It is obvious that for a small business entity the results of such an audit may be fatal, and its managers will be ready to do anything to prevent the disaster. Only practice can demonstrate whether officers of the Service are able to abstain from abuse. And the experience of other regulatory agencies is not favorable in this regard.